Despite their best efforts to create and maintain the most secure defense environment possible, many companies worry that their networks are not only vulnerable, but may already be compromised. Traditional detection methods are failing, and it is becoming clearer that attackers have a firm understanding of the detection methods deployed by many organizations.
Because technologies like AV, IDS and firewalls are known to attackers, it is trivial for them to bypass critical security defenses. IANS uses proven hunt teaming methods to track down attackers that have successfully flown under the radar and breached your environment, then delivers a detailed report with a Full ELK VM that includes hunt teaming filters, reports, and analysis scripts.
To uncover highly effective and targeted attacks, IANS reviews the top 1-2% of URLs (in terms of overall length) your company’s user workstations are visiting. Sophisticated attackers have been known to manipulate URLs in order to bypass URL filtering and monitoring software, a process that often leads to URLs which are highly obfuscated and long. This can be a warning sign pointing to abnormal traffic caused by attackers.
IANS then reviews egress connection logs to identify IP addresses that receive consistent connections over a 24-hour period. This analysis reveals persistent outbound connections and identifies hosts compromised by attacker command-and-control (C2) channels.
When a system is compromised and a backdoor is installed, the backdoor commonly has a persistent connection, or at least a “beacon” at regular intervals. This behavior is in stark contrast with standard system and user traffic, which typically utilizes short-lived connections. Using Session Analysis, we can identify and address abnormal traffic matching known C2 patterns.
Multiple Concurrent Login Analysis
A common tactic used by attackers is to leverage captured credentials to pivot to other internal resources. When such attackers pivot they usually utilize normal methods, such as SMB, SSH and RDP, to access other resources and sensitive data. This is troubling because many IDS, IPS and firewall technologies will not flag these activities as abnormal.
This activity can be detected, however, through analysis of concurrent logins. When users log on to a system, they usually access their local computer and a handful of resources, like file servers and printers. However, when attackers log onto a system, they tend to access dozens, if not hundreds, of resources. Our testing will identify any such abnormal behavior to help you understand who is on your network.
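The three heuristics described on this page (unusually long URLs, destinations contacted persistently across a day, and logons that fan out to many hosts) can be expressed as simple filters over connection and logon logs. The following is an added example, not IANS's own tooling; the log records and the thresholds (top 1%, 20 of 24 hours, 10 hosts) are constructed assumptions to be tuned against a real baseline.

```python
"""Three hunt-teaming filters over constructed sample logs (not IANS code)."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: 99 ordinary intranet URLs and one heavily padded one.
URLS = [f"https://intranet.example/page{n}" for n in range(99)]
URLS.append("https://cdn.example/x?" + "%2e" * 120 + "&p=" + "A" * 300)

# Constructed egress records: (timestamp, source host, destination IP).
# 203.0.113.9 is contacted every hour; 198.51.100.2 only during work hours.
EGRESS = [(datetime(2024, 1, 1, h, 5), "ws-17", "203.0.113.9") for h in range(24)]
EGRESS += [(datetime(2024, 1, 1, h, 0), "ws-17", "198.51.100.2") for h in (9, 10, 13)]

# Constructed logon records: (user, destination host).
LOGONS = [("alice", h) for h in ("ws-alice", "fileserver01", "printer02")]
LOGONS += [("bob", f"srv-{n:02d}") for n in range(40)]


def long_url_outliers(urls, top_fraction=0.01):
    """Return the longest `top_fraction` of URLs (the text reviews the top 1-2%).
    Heavy encoding or padding used to slip past URL filters surfaces here."""
    ranked = sorted(urls, key=len, reverse=True)
    keep = max(1, int(len(ranked) * top_fraction))
    return ranked[:keep]


def persistent_destinations(records, min_hours=20):
    """Return destination IPs seen in at least `min_hours` distinct hours of a day.
    Normal user traffic is bursty and short-lived; a backdoor holding a session
    open or beaconing on a schedule touches nearly every hour."""
    hours = defaultdict(set)
    for ts, _src, dst in records:
        hours[dst].add((ts.date(), ts.hour))
    return sorted(dst for dst, hs in hours.items() if len(hs) >= min_hours)


def concurrent_login_outliers(records, max_hosts=10):
    """Return users that logged on to more than `max_hosts` distinct hosts.
    A pivoting attacker reaches dozens of hosts over SMB/SSH/RDP; a normal
    user touches a handful."""
    hosts = defaultdict(set)
    for user, host in records:
        hosts[user].add(host)
    return sorted(u for u, hs in hosts.items() if len(hs) > max_hosts)


if __name__ == "__main__":
    print("long URLs:", long_url_outliers(URLS))
    print("persistent destinations:", persistent_destinations(EGRESS))
    print("login outliers:", concurrent_login_outliers(LOGONS))
```

Each filter only narrows the data to candidates for an analyst to review; a legitimate monitoring agent or backup job will also produce round-the-clock connections and must be baselined out.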